orinoco_usb: Fix buffer on stack · tjh.dev/kernel@2f6ae79

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

orinoco_usb: Fix buffer on stack

Allocate buffer on HEAP instead of STACK for a local variable
that is to be sent using usb_control_msg().

Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

authored by

Maksim Salau and committed by

Kalle Valo 9 years ago 2f6ae79c bea35f90

+17 -4

1 changed file

expand all

drivers

net

wireless

intersil

orinoco

orinoco_usb.c

+17 -4

drivers/net/wireless/intersil/orinoco/orinoco_usb.c

··· 769 769 770 770 static inline int ezusb_8051_cpucs(struct ezusb_priv *upriv, int reset) 771 771 { 772 - u8 res_val = reset; /* avoid argument promotion */ 772 + int ret; 773 + u8 *res_val = NULL; 773 774 774 775 if (!upriv->udev) { 775 776 err("%s: !upriv->udev", __func__); 776 777 return -EFAULT; 777 778 } 778 - return usb_control_msg(upriv->udev, 779 + 780 + res_val = kmalloc(sizeof(*res_val), GFP_KERNEL); 781 + 782 + if (!res_val) 783 + return -ENOMEM; 784 + 785 + *res_val = reset; /* avoid argument promotion */ 786 + 787 + ret = usb_control_msg(upriv->udev, 779 788 usb_sndctrlpipe(upriv->udev, 0), 780 789 EZUSB_REQUEST_FW_TRANS, 781 790 USB_TYPE_VENDOR | USB_RECIP_DEVICE | 782 - USB_DIR_OUT, EZUSB_CPUCS_REG, 0, &res_val, 783 - sizeof(res_val), DEF_TIMEOUT); 791 + USB_DIR_OUT, EZUSB_CPUCS_REG, 0, res_val, 792 + sizeof(*res_val), DEF_TIMEOUT); 793 + 794 + kfree(res_val); 795 + 796 + return ret; 784 797 } 785 798 786 799 static int ezusb_firmware_download(struct ezusb_priv *upriv,